The server-side 服务器端auth_socket authentication plugin authenticates clients that connect from the local host through the Unix socket file. auth_socket身份验证插件对通过Unix套接字文件从本地主机连接的客户端进行身份验证。The plugin uses the 该插件使用SO_PEERCRED socket option to obtain information about the user running the client program. SO_PEERCRED套接字选项来获取有关运行客户端程序的用户的信息。Thus, the plugin can be used only on systems that support the 因此,该插件只能在支持SO_PEERCRED option, such as Linux.SO_PEERCRED选项的系统上使用,例如Linux。
The source code for this plugin can be examined as a relatively simple example demonstrating how to write a loadable authentication plugin.这个插件的源代码可以作为一个相对简单的示例来检查,演示如何编写一个可加载的身份验证插件。
The following table shows the plugin and library file names. The file must be located in the directory named by the 下表显示了插件和库文件名。文件必须位于plugin_dir system variable.plugin_dir系统变量命名的目录中。
Table 6.21 Plugin and Library Names for Socket Peer-Credential AuthenticationSocket对等凭据身份验证的插件和库名称
| Server-side plugin | auth_socket |
| Library file | auth_socket.so |
The following sections provide installation and usage information specific to socket pluggable authentication:以下部分提供了特定于套接字可插拔身份验证的安装和使用信息:
For general information about pluggable authentication in MySQL, see Section 6.2.17, “Pluggable Authentication”.有关MySQL中可插拔身份验证的一般信息,请参阅第6.2.17节,“可插拔身份认证”。
This section describes how to install the socket authentication plugin. For general information about installing plugins, see Section 5.6.1, “Installing and Uninstalling Plugins”.本节介绍如何安装套接字身份验证插件。有关安装插件的一般信息,请参阅第5.6.1节,“安装和卸载插件”。
To be usable by the server, the plugin library file must be located in the MySQL plugin directory (the directory named by the 为了让服务器使用,插件库文件必须位于MySQL插件目录(由plugin_dir system variable). plugin_dir系统变量命名的目录)中。If necessary, configure the plugin directory location by setting the value of 如有必要,在服务器启动时通过设置plugin_dir at server startup.plugin_dir的值来配置插件目录位置。
To load the plugin at server startup, use the 要在服务器启动时加载插件,请使用--plugin-load-add option to name the library file that contains it. --plugin-load-add选项命名包含它的库文件。With this plugin-loading method, the option must be given each time the server starts. For example, put these lines in the server 使用此插件加载方法,每次服务器启动时都必须给出该选项。例如,将以下行放入服务器my.cnf file:my.cnf文件中:
[mysqld] plugin-load-add=auth_socket.so
After modifying 修改my.cnf, restart the server to cause the new settings to take effect.my.cnf后,重新启动服务器以使新设置生效。
Alternatively, to load the plugin at runtime, use this statement:或者,要在运行时加载插件,请使用以下语句:
INSTALL PLUGIN auth_socket SONAME 'auth_socket.so';
INSTALL PLUGIN loads the plugin immediately, and also registers it in the mysql.plugins system table to cause the server to load it for each subsequent normal startup without the need for --plugin-load-add.INSTALL PLUGIN会立即加载插件,并将其注册到mysql.plugins系统表中,以便服务器在每次后续正常启动时加载它,而不需要--plugin-load-add。
To verify plugin installation, examine the 要验证插件安装,请检查INFORMATION_SCHEMA.PLUGINS table or use the SHOW PLUGINS statement (see Section 5.6.2, “Obtaining Server Plugin Information”). For example:INFORMATION_SCHEMALUGINS表或使用SHOW PLUGINS语句(请参阅第5.6.2节,“获取服务器插件信息”)。例如:
mysql>SELECT PLUGIN_NAME, PLUGIN_STATUSFROM INFORMATION_SCHEMA.PLUGINSWHERE PLUGIN_NAME LIKE '%socket%';+-------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------+---------------+ | auth_socket | ACTIVE | +-------------+---------------+
If the plugin fails to initialize, check the server error log for diagnostic messages.如果插件初始化失败,请检查服务器错误日志中的诊断消息。
To associate MySQL accounts with the socket plugin, see Using Socket Pluggable Authentication.要将MySQL帐户与套接字插件相关联,请参阅使用套接字可插拔身份验证。
The method used to uninstall the socket authentication plugin depends on how you installed it:用于卸载套接字身份验证插件的方法取决于您的安装方式:
If you installed the plugin at server startup using a 如果您在服务器启动时使用--plugin-load-add option, restart the server without the option.--plugin-load-add选项安装了插件,请在不使用该选项的情况下重新启动服务器。
If you installed the plugin at runtime using an 如果您在运行时使用INSTALL PLUGIN statement, it remains installed across server restarts. INSTALL PLUGIN语句安装了插件,则它在服务器重新启动时仍会安装。To uninstall it, use 要卸载它,请使用UNINSTALL PLUGIN:UNINSTALL PLUGIN:
UNINSTALL PLUGIN auth_socket;
The socket plugin checks whether the socket user name (the operating system user name) matches the MySQL user name specified by the client program to the server. 套接字插件检查套接字用户名(操作系统用户名)是否与客户端程序向服务器指定的MySQL用户名匹配。If the names do not match, the plugin checks whether the socket user name matches the name specified in the 如果名称不匹配,插件会检查套接字用户名是否与mysqluser系统表行的authentication_string column of the mysql.user system table row. authentication_string列中指定的名称匹配。If a match is found, the plugin permits the connection. 如果找到匹配项,插件将允许连接。The authentication_string value can be specified using an IDENTIFIED ...AS clause with CREATE USER or ALTER USER.authentication_string值可以使用带有IDENTIFIED...AS子句的CREATE USER或ALTER USER指定。
Suppose that a MySQL account is created for an operating system user named 假设为名为valerie who is to be authenticated by the auth_socket plugin for connections from the local host through the socket file:valerie的操作系统用户创建了一个MySQL帐户,该用户将通过auth_socket插件进行身份验证,以便通过socket文件从本地主机进行连接:
CREATE USER 'valerie'@'localhost' IDENTIFIED WITH auth_socket;
If a user on the local host with a login name of 如果本地主机上登录名为stefanie invokes mysql with the option --user=valerie to connect through the socket file, the server uses auth_socket to authenticate the client. stefanie的用户使用选项--user=valerie调用mysql通过socket文件进行连接,服务器将使用auth_socket对客户端进行身份验证。The plugin determines that the 插件确定--user option value (valerie) differs from the client user's name (stephanie) and refuses the connection. --user选项值(valerie)与客户端用户名(stephanie)不同,并拒绝连接。If a user named 如果名为valerie tries the same thing, the plugin finds that the user name and the MySQL user name are both valerie and permits the connection. valerie的用户尝试了同样的操作,插件会发现用户名和MySQL用户名都是valerie,并允许连接。However, the plugin refuses the connection even for 但是,如果连接是使用不同的协议(如TCP/IP)进行的,即使是瓦莱丽,该插件也会拒绝连接。valerie if the connection is made using a different protocol, such as TCP/IP.
To permit both the 为了允许valerie and stephanie operating system users to access MySQL through socket file connections that use the account, this can be done two ways:valerie和stephanie操作系统用户通过使用该帐户的套接字文件连接访问MySQL,可以通过两种方式完成:
Name both users at account-creation time, one following 在帐户创建时命名两个用户,一个在CREATE USER, and the other in the authentication string:CREATE USER之后,另一个在身份验证字符串中:
CREATE USER 'valerie'@'localhost' IDENTIFIED WITH auth_socket AS 'stephanie';
If you have already used 如果您已经使用CREATE USER to create the account for a single user, use ALTER USER to add the second user:CREATE USER为单个用户创建了帐户,请使用ALTER USER添加第二个用户:
CREATE USER 'valerie'@'localhost' IDENTIFIED WITH auth_socket; ALTER USER 'valerie'@'localhost' IDENTIFIED WITH auth_socket AS 'stephanie';
To access the account, both 要访问该帐户,valerie and stephanie specify --user=valerie at connect time.valerie和stephanie在连接时都指定--user=valerie。